Secure App Deployment Before and After Android for Work

February 25, 2015

App Deployment Before Android™ for Work

Secure app deployment has been the biggest obstacle for enterprises looking to add Android to their BYOD environment. Before the release of Android for Work, IT could install apps on an Android device in just one of three ways, all of which have drawbacks:

1. Users install apps from Google Play. Google Play is the only universal way to securely install applications across all Android devices. However, prior to Android for Work, IT had no way of controlling which apps the user downloaded, nor any visibility into potential malware threats from these apps.

2. Users enable "unknown sources" in Settings to download apps. This action allows users to install apps from a variety of sources such as third-party app stores, file sharing utilities, web browsers, and email attachments. Although Google Play isn't a perfect security model, Google has advanced algorithms for statically and dynamically detecting malicious applications. On the other hand, when users download apps from unknown sources, the chance of installing malware on the device increases exponentially. Although many of these apps may come from legitimate sources, IT is justifiably uneasy about allowing unverified and untrusted apps on the enterprise network.

3. Apps leverage proprietary APIs from handset manufacturers. Some trusted apps can invoke these APIs so they can be installed on the device without requiring the user to enable unknown sources. In a BYOD environment, however, these APIs are not universally available. There are usually too many device models that either don't have extension APIs or can't be supported by the EMM or MDM vendor. For example, the popular Nexus line doesn't have any APIs that a vendor can use to install applications without requiring the user to enable unknown sources.

Android for Work: A New Way to Securely Deploy Apps

In Android for Work, IT can now deploy apps to a secure, enterprise-controlled container on the device. In this new model, EMM providers are the only mechanism for app deployment, and Google has introduced a whole new set of Google Play APIs to specifically support EMM app administration. With the Lollipop Android for Work profile, IT managers can deploy any Play app in the Google Play Store to a secure Android container without any additional wrapping. This offers tremendous advantages to both IT and end users:

  • IT ensures apps and data can be safely enabled in a secure, separate container on the device.
  • Users can choose from a pool of business apps that IT has pre-selected and verified for security.
  • Apps cannot be side-loaded into the native client or installed from unknown sources outside the container, which adds greater protection from malware.
  • Personal and business content remains separate on the device.
  • Private, in-house apps can be self-hosted either internally or through an EMM provider and excluded from public search results in the Google Play Store.

With Android for Work, secure app deployment is just the beginning. This new offering from Google introduces a whole range of new security features specifically designed to make Android adoption easier for enterprise customers. Learn more about these new capabilities and how they will impact your organization in MobileIron's white paper, "What Android for Work Means for the Enterprise."

Download the white paper here.

Android is a trademark of Google Inc. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.

 

 

Alexander Romero
